What Is the Sherlock Tool?
The sherlock tool hunts down social media accounts by username. You give it a username, and it checks 400+ social networks to find where that person has an account. It’s one of the most popular open-source OSINT tools on GitHub with over 86,000 stars. I use it regularly during penetration testing engagements when I need to map out a target’s online presence.
Sherlock runs in the terminal, works on Linux, macOS, and Windows, and spits out clean results you can use right away. No databases to set up. No API keys to configure. Install it and go.
1. Installing the Sherlock Tool
Getting sherlock running takes about 30 seconds. You can install it with pip:
pip install sherlock-project
Or clone it from GitHub if you want the latest version:
git clone https://github.com/sherlock-project/sherlock.git
cd sherlock
pip install -r requirements.txt
Once it’s installed, run sherlock --help to see the full list of options. Kali Linux also ships sherlock in its default repositories, so if you’re on Kali you can grab it with sudo apt install sherlock. Either way, you’re up and running in under a minute. The official sherlock GitHub repository has the full documentation and a list of all 400+ supported sites.
2. Basic Username Search with the Sherlock Tool
This is where sherlock shines. Run a single username search like this:
sherlock johndoe
Sherlock checks every social network in its database and returns a list of profiles that match. Results show the URL and whether the account was found, not found, or rate-limited. A green checkmark means the account exists. A red X means it doesn’t.
Here’s what a typical output looks like:
[+] GitHub: https://github.com/johndoe
[+] Twitter: https://twitter.com/johndoe
[+] Reddit: https://reddit.com/user/johndoe
[-] Instagram: Not found!
The output is color-coded and easy to scan. You can redirect it to a file if you want to keep the results. I run this first in every OSINT investigation to get a quick lay of the land.
3. Filtering Results with the Sherlock Tool
Not every social network matters. Sherlock lets you filter which sites to check using the --site flag. This cuts scan time significantly.
sherlock johndoe --site github --site reddit --site twitter
You can also exclude sites you don’t care about. The --exclude flag removes specific platforms from the scan. This is useful when you know certain sites will always return false positives or when you want to avoid adult content platforms.
sherlock johndoe --exclude pinterest --exclude tumblr
I use filtering a lot when I’m targeting a specific region. If I know the subject only uses services popular in Europe, I can skip the Asian-specific platforms and save time.
4. Using the Sherlock Tool with Multiple Usernames
Real investigations involve more than one username. Sherlock accepts a text file with one username per line:
sherlock --usernames targets.txt
Your targets.txt file looks like this:
johndoe
janedoe
bobsmith
admin2024
Sherlock processes each one and prints the combined results. You can dump everything to a JSON file and process it with other tools later. I batch-scan 20 to 30 usernames at once during the reconnaissance phase. It beats checking each one manually by a huge margin.
5. Saving Sherlock Tool Output to Files
Raw terminal output disappears when you close the window. Sherlock supports multiple output formats so you keep your data.
# TXT output
sherlock johndoe --output results.txt
# CSV output (great for spreadsheets)
sherlock johndoe --csv results.csv
# JSON output (best for programmatic use)
sherlock johndoe --output results.json
CSV format is my go-to when I’m handing results to a client. It opens cleanly in LibreOffice or Excel, and they can sort by platform or filter by found status. JSON is better when I’m piping results into another tool like jq for further processing.
6. Checking Specific Sites with the Sherlock Tool
Sometimes you only care about a handful of platforms. Sherlock lets you specify exactly which sites to check instead of running through all 400.
# Check only from a list file
sherlock johndoe --site-list my_sites.txt
# Check all EXCEPT from a list file
sherlock johndoe --exclude-list skip_sites.txt
This speeds things up a lot. Running sherlock against all 400+ sites can take a couple of minutes depending on your connection. Narrowing it to 10 to 20 targets finishes in seconds. I keep a sites.txt file with the 30 platforms I actually care about for most investigations.
You can also control request timing with --timeout. The default is 30 seconds per request, but you can lower it to 10 for faster scans if you’re on a good connection.
7. Integrating the Sherlock Tool with Other OSINT Tools
Sherlock works great as part of a larger OSINT pipeline. Here’s how I chain it with other tools.
First, run sherlock and save output as JSON:
sherlock johndoe --output results.json
Then feed that JSON into other tools. You can extract the found accounts with jq:
jq '.[] | select(.status == "Found") | .url' results.json
This gives you a clean list of live profiles. From there you can run each URL through tools like nmap for infrastructure scanning or waybackurls for historical content. The JSON output format makes sherlock a perfect first step in any automated OSINT workflow.
Scripters can wrap this in a Python or Bash loop that runs sherlock on every username in a list, merges the JSON outputs, and produces a single report. That’s a common setup for red team engagements where you need to profile dozens of targets before the main operation.
Why the Sherlock Tool Belongs in Your Toolkit
The sherlock tool is fast, free, and dead simple. It does one thing and does it well: find social media accounts by username across hundreds of platforms. No API costs. No registration. No fluff.
Whether you’re doing a penetration test, investigating a threat actor, or just curious about your own digital footprint, sherlock saves you hours of manual checking. I keep it installed on every machine I use for security work. If you haven’t tried it yet, give it a shot. You’ll be surprised how many accounts come up for even a random username.
For more security tools and techniques, check out our guides on Trivy for vulnerability scanning and SQLMap for database testing. You can also read more about OSINT methodology at the official sherlock project site and explore the Kali Linux sherlock package page for distribution-specific setup notes.